16 February 2008

The Electronic Frontier Foundation has obtained an FBI document
describing a mistake that was made in monitoring someone's email:
the ISP sent the FBI all of the email for the entire domain,
rather than just the suspect's email.

Needless to say, any wiretapping system (whether supplied by an
ISP or the FBI) relied upon to extract legal evidence from a
shared, public network link must be audited for correctness and
must employ strong safeguards against failure and abuse. The
stringent requirements for accuracy and operational robustness
provide especially fertile ground for many familiar risks.

First, there is the problem of extracting exactly (no more and no
less) the intended traffic.

The context then was Carnivore, but the problem is the same.
On the same subject, Matt wrote

More seriously, I suspect that the meat (so to speak) of any
meaningful analysis of Carnivore's security and behavior lies not
in its core source code but rather in the parameters used when it
is actually configured and installed.
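The two quoted points, extracting exactly the intended traffic and the weight carried by the configured parameters rather than the core code, can be made concrete in a small model. The following is an added example and not code from the original post, the Carnivore review, or any real intercept system; the mailbox selector, the date window, and all messages are constructed sample data. It shows an ISP-side filter that refuses any selector broader than a single mailbox, and a receiving-side audit that would flag a domain-wide dump like the one the FBI document describes.

```python
"""Scoped mail-capture filter with an overproduction audit (added example).

Models two safeguards the quoted text calls for: the selection step must
match only what the order names, and the receiving side must check what
it was actually given. All addresses, dates and messages are constructed.
"""
from dataclasses import dataclass
import re

# A single mailbox address: no wildcards, no bare domains.
ADDRESS_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$", re.I)


@dataclass(frozen=True)
class Authorization:
    """What the order permits: one mailbox and a date window (ISO dates)."""
    mailbox: str
    not_before: str
    not_after: str


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipients: tuple
    date: str  # ISO date, constructed


def selector_is_scoped(selector: str) -> bool:
    """True only if the selector names exactly one mailbox."""
    return ADDRESS_RE.match(selector.strip()) is not None


def validate_selector(selector: str) -> str:
    """Reject anything broader than one mailbox ('example.com', '*@example.com')."""
    if not selector_is_scoped(selector):
        raise ValueError(f"selector {selector!r} is not a single mailbox address")
    return selector.strip().lower()


def involves(msg: Message, mailbox: str) -> bool:
    parties = {msg.sender.lower()} | {r.lower() for r in msg.recipients}
    return mailbox in parties


def in_window(msg: Message, auth: Authorization) -> bool:
    return auth.not_before <= msg.date <= auth.not_after


def capture(messages, auth: Authorization):
    """ISP-side filter: return only messages naming the mailbox, inside the window."""
    target = validate_selector(auth.mailbox)
    return [m for m in messages if involves(m, target) and in_window(m, auth)]


def audit_production(delivered, auth: Authorization) -> dict:
    """Receiving-side check: which delivered messages fall outside the order,
    and how many distinct mailboxes in the target's domain appear at all.
    A count well above 1 is the signature of a domain-wide dump."""
    target = validate_selector(auth.mailbox)
    domain = target.split("@", 1)[1]
    out_of_scope = [m.msg_id for m in delivered
                    if not (involves(m, target) and in_window(m, auth))]
    seen = set()
    for m in delivered:
        for addr in (m.sender, *m.recipients):
            addr = addr.lower()
            if addr.endswith("@" + domain):
                seen.add(addr)
    return {"delivered": len(delivered),
            "out_of_scope": out_of_scope,
            "domain_mailboxes_seen": len(seen)}


# Constructed sample: an order for alice@example.com during January 2008,
# and a domain-wide batch of the kind the FBI document describes.
AUTH = Authorization("alice@example.com", "2008-01-01", "2008-01-31")
SAMPLE = [
    Message("m1", "alice@example.com", ("bob@other.net",), "2008-01-10"),
    Message("m2", "carol@other.net", ("alice@example.com", "dave@example.com"), "2008-01-15"),
    Message("m3", "dave@example.com", ("erin@other.net",), "2008-01-20"),   # not the target
    Message("m4", "frank@other.net", ("alice@example.com",), "2008-02-03"),  # outside window
]

if __name__ == "__main__":
    print("captured:", [m.msg_id for m in capture(SAMPLE, AUTH)])
    print("audit of full dump:", audit_production(SAMPLE, AUTH))
```

The filter and the audit share one scope test, so the receiving side checks the delivery against the order itself rather than trusting that the sender configured the selector correctly; that is the safeguard that turns a silent overproduction into a logged, detectable event.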

Past violations by the government have also included continuing a
wiretap for days or weeks beyond what was authorized by a court,
or seeking records beyond what were authorized. The 2006 case
appears to be a particularly egregious example of what
intelligence officials refer to as "overproduction" — in which a
telecommunications provider gives the government more data than it
was ordered to provide.

The problem of overproduction is particularly common, F.B.I.
officials said. In testimony before Congress in March 2007
regarding abuses of national security letters, Valerie E. Caproni,
the bureau's general counsel, said that in one small sample, 10
out of 20 violations were a result of "third-party error," in
which a private company "provided the F.B.I. information we did
not seek."

From what has been released, the FBI did nothing wrong here. In fact,
they say that they destroyed the unwanted (and unauthorized) emails
when they noticed the problem. But mistakes will happen. This is
why I and others have warned about the dangers of too-close linkage
to the telecommunications system: other plausible configuration
errors could give malicious parties access to the network.

Surveillance is difficult. Complexity and interconnections make
it dangerous, too.